CVE-2022-47911

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01	Third Party Advisory US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:sewio:real-time_location_system_studio:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:32

Type	Values Removed	Values Added
Summary		(es) El sistema de ubicación en tiempo real (RTLS) Studio de Sewio, versión 2.0.0 hasta la versión 2.6.2 inclusive, no valida correctamente el nombre del módulo de entrada para los servicios de respaldo del software. Esto podría permitir que un atacante remoto acceda a funciones confidenciales de la aplicación y ejecute comandos arbitrarios del sistema.
References	~~() https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01 - Third Party Advisory, US Government Resource
CVSS	v2 : ~~unknown~~ v3 : ~~7.2~~	v2 : unknown v3 : 9.1

Information

Published : 2023-01-18 01:15

Updated : 2024-11-21 07:32

NVD link : CVE-2022-47911

Mitre link : CVE-2022-47911

CVE.ORG link : CVE-2022-47911

JSON object : View

Products Affected

sewio

real-time_location_system_studio

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2022-47911", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-01-18T01:15:13.040", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Sewio\u2019s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.\n\n"}, {"lang": "es", "value": " El sistema de ubicaci\u00f3n en tiempo real (RTLS) Studio de Sewio, versi\u00f3n 2.0.0 hasta la versi\u00f3n 2.6.2 inclusive, no valida correctamente el nombre del m\u00f3dulo de entrada para los servicios de respaldo del software. Esto podr\u00eda permitir que un atacante remoto acceda a funciones confidenciales de la aplicaci\u00f3n y ejecute comandos arbitrarios del sistema."}], "lastModified": "2024-11-21T07:32:31.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sewio:real-time_location_system_studio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BFF34E9-1653-45FC-B8F1-4A61931A0779", "versionEndIncluding": "2.6.2", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}